Under the same origin policy, a web page served from server1.example.com cannot normally connect to or communicate with a server other than server1.example.com. An exception is the HTML
<script> element. Taking advantage of the open policy for <script> elements, some pages use them to retrieve Javascript code that operates on dynamically-generated JSON-formatted data from other origins. This usage pattern is known as JSONP.In the JSONP usage pattern, the URL returns the dynamically-generated JSON, with a function call wrapped around it. This is the "padding" (or sometimes, "prefix") of JSONP.
Use the 'src' element of the <script> tag:
<script type="text/javascript" src="http://server2.example.com/RetrieveUser?UserId=1823&jsonp=parseResponse"> </script> what received is parseResponse({"Name": "Cheeso", "Id" : 1823, "Rank": 7})
Security concerns
Including script tags from remote sites allows the remote sites to inject any content into a website. If the remote sites have vulnerabilities that allow JavaScript injection, the original site can also be affected. Cross-site request forgery
Naïve deployments of JSONP are subject to cross-site request forgery attacks (CSRF or XSRF).[1] Because the HTML
<script> tag does not respect the same origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to another site. This will allow the JSON-encoded data to be evaluated in the context of the malicious page, possibly divulging passwords or other sensitive data if the user is currently logged into the other site.i.e. Then you browse the malicious page while you've logged on to facebook, the malicious page may issue a request to facebook, potentially getting your facebook password
No comments:
Post a Comment